From: Lennart Poettering Date: Mon, 23 Jun 2025 12:40:25 +0000 (+0200) Subject: userdb: when loading a user record from JSON, mark 'secret' section in JSON variant... X-Git-Tag: v258-rc1~268^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F37935%2Fhead;p=thirdparty%2Fsystemd.git userdb: when loading a user record from JSON, mark 'secret' section in JSON variant as sensitive as side effect When we load a user record we retain a reference to the original JSON. Thus the loaded objects might live at least as long as our user record object, hence we better make sure we set the 'sensitive' flag for the 'secret' section if it's not marked like that yet. This is paranoia only: we already should be setting this flag properly earlier, when acquiring the json variant in the first place. But it's better to be safe than sorry. --- diff --git a/src/shared/user-record.c b/src/shared/user-record.c index 20f5d922464..09e96f0c9a5 100644 --- a/src/shared/user-record.c +++ b/src/shared/user-record.c @@ -1531,6 +1531,11 @@ int user_group_record_mangle( if (USER_RECORD_STRIP_MASK(load_flags) == _USER_RECORD_MASK_MAX) /* strip everything? */ return json_log(v, json_flags, SYNTHETIC_ERRNO(EINVAL), "Stripping everything from record, refusing."); + /* Extra safety: mark the "secret" part (that contains literal passwords and such) as sensitive, so + * that it is not included in debug output and erased from memory when we are done. We do this for + * any record that passes through here. */ + sd_json_variant_sensitive(sd_json_variant_by_key(v, "secret")); + /* Check if we have the special sections and if they match our flags set */ FOREACH_ELEMENT(i, mask_field) { sd_json_variant *e, *k;